I'm using version 4.6.2 of rsyslog and have the following lines in /etc/rsyslog.conf:

$template InputToScript,"/home/user/%msg%"
if $msg contains "abcdefg" then ^touch;InputToScript

I did a kill -1 <pid>, where <pid> is the PID for rsyslogd.

Then I typed

logger "xxxabcdefgyyy"

I didn't see a file /home/user/xxxabcdefgyyy created.

Did I leave something out?

Rui Jarimba

2 Answers

I was seeing this issue when the logfile was truncated from logrotate per https://github.com/rsyslog/rsyslog/issues/721 .

Turns out there is an option to imfile for handling truncation -- reopenOnTruncate -- otherwise logging will not continue until the truncated file reaches its original size.

e.g.

input(type="imfile"
      File="/var/log/secure"
      Tag="secure-testing"
      Ruleset="secure_ruleset_testing"
      reopenOnTruncate="on")

You can also enable the rsyslog debug output per https://www.rsyslog.com/how-to-use-debug-on-demand/ --

export RSYSLOG_DEBUG="DebugOnDemand NoStdOut"
export RSYSLOG_DEBUGLOG=/somepath/example.log
/etc/rc.d/init.d/rsyslog stop
rsyslogd -n

In a separate session window run:

kill -USR1 `cat /var/run/rsyslogd.pid`

(ensure the pid file exists or just get it using the process list). Debug logging will show up in the specified file.

storm_m2138

You may need to state the full path of touch, as a subshell is opened by rsyslog. So the code should be:

if $msg contains "abcdefg" then ^/usr/bin/touch;InputToScript

razorsniper
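
Added example, not code from the question or either answer: a wrapper script that the `^` action could call instead of `touch`, so that a file name built from `%msg%` is validated before anything is created. It assumes rsyslog passes the expanded template to the program as a single argument and that `%msg%` may begin with a space; the install path `/usr/local/bin/rsyslog-touch` and the function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical wrapper (assumed path: /usr/local/bin/rsyslog-touch).
# Assumed rsyslog.conf usage, with the directory moved out of the template:
#   $template InputToScript,"%msg%"
#   if $msg contains "abcdefg" then ^/usr/local/bin/rsyslog-touch;InputToScript

# Directory from the question; overridable through the environment.
MARKER_DIR="${MARKER_DIR:-/home/user}"

# Print a file name derived from the log message, or return 1 if the
# message cannot be used as a plain file name inside MARKER_DIR.
marker_name() {
    # Drop leading and trailing whitespace (%msg% may start with a space).
    name=$(printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case $name in
        '')                return 1 ;;  # nothing left after trimming
        .*)                return 1 ;;  # ".", ".." and hidden files
        *[!A-Za-z0-9._-]*) return 1 ;;  # "/", spaces, newlines, metacharacters
    esac
    # Keep names short enough for any file system.
    [ "${#name}" -le 64 ] || return 1
    printf '%s\n' "$name"
}

# Create the marker file for one message; fails without touching anything
# when the message is rejected by marker_name.
touch_marker() {
    name=$(marker_name "$1") || return 1
    touch -- "$MARKER_DIR/$name"
}

# When invoked with an argument (as rsyslog would), handle that message.
if [ "$#" -gt 0 ]; then
    touch_marker "$1"
fi
```

Because the script fixes the directory and accepts only a single path component, a message containing `/` or `..` is rejected instead of being resolved relative to `/home/user`.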